DevOps:Doc/FlexForm/2.5/API/FlexFormOpen
← Older editNewer edit →
VisualWikitext
No edit summary
ws-class-props
Line 1: Line 1:
{{Csp class properties
{{Csp class properties
|Doc subject=DevOps:Doc/FlexForm
|Doc subject=DevOps:Doc/FlexForm
|Subject version=1.1,2.0,2.1,2.5
|Subject version=2.5
|Doc parent=DevOps:Doc/FlexForm/1.1/API
|Doc parent=DevOps:Doc/FlexForm/1.1/API
|Doc sort order=10
|Doc sort order=10

Revision as of 15:31, 23 February 2026

Name

API

Type

FlexFormOpen

Synopsis

Open FlexForm API endpoint for lightweight validation actions.

Description

The FlexFormOpen API provides limited, publicly accessible FlexForm functionality intended for frontend validation use cases. It does not require readapi-rights.

Currently, the available actions are:

  • canUserBeCreated – Checks whether a username can be created.

This API is especially useful when implementing CreateUser forms.

When paired with JavaScript, it allows real-time username validation (e.g., checking whether a username already exists or is invalid) before form submission.

For security reasons, this API is disabled by default.

To enable it, set the following configuration option: 

$wgFlexFormConfig['allowFlexFormOpenAPI'] = true;

Parameters

ffAction – The FlexFormOpen action to execute.

  • canUserBeCreated (required)

additionalData – Additional data required for the action.

  • For canUserBeCreated, this must contain the username to validate. (required)

Action: canUserBeCreated

Checks whether a username:

  • Does not already exist
  • Meets MediaWiki username validation requirements
  • Can safely be created

This action does not create the user. It only performs validation.

Example (JavaScript)

Example using MediaWiki's mw.Api(): 

var api = new mw.Api();

api.get({
    action: "FlexFormOpen",
    ffAction: "canUserBeCreated",
    additionalData: correctedUsername,
    formatversion: 2
}).done(function (data) {

    if (data.canUser === true) {
        console.log("Username can be created.");
    } else {
        console.log("Username cannot be created.");
    }

});

If the API is disabled via configuration (or default): 

{
    "error": {
        "message": "FlexFormOpen API is disabled."
    }
}

Security Considerations

Because this API does not require authentication, it is disabled by default.

It is strongly recommended to:

  • Only enable it when necessary
  • Implement frontend throttling or rate limiting if heavy usage is expected
  • Avoid exposing sensitive validation logic

Future Improvements

In future versions, an optional attribute may be introduced on FlexForm input fields that automatically performs username validation without requiring custom JavaScript.

Retrieved from "https://open-csp.org/index.php?title=DevOps:Doc/FlexForm/2.5/API/FlexFormOpen&oldid=3941"